From a7cf5675677cf6eef8a1cdf8e5d2c532ebaa08b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Fri, 18 Oct 2024 12:40:57 +0200
Subject: [PATCH] Import CA certificates for extra repository files
If extra repositories are located on an HTTPS server with a certificate signed by a private authority, additional CA certificates need to be trusted in the container. Otherwise, DNF invoked in the container will fail to access the repositories: STEP 6/15: RUN set -x && dnf -y --refresh upgrade; dnf -y install dnf-plugins-core; dnf -y copr enable rpmsoftwaremanagement/test-utils; + dnf -y --refresh upgrade [...] Tag repository for rhel-9.6.0-candidate (x86_64 0.0 B/s | 0 B 00:00 Errors during downloading metadata for repository 'baseos-ci-tag-repository': - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://[...]/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate] Error: Failed to download metadata for repo 'baseos-ci-tag-repository': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
---
 Dockerfile | 4 ++++
 README.md | 4 ++++
 ca-trust/.gitignore | 1 +
 3 files changed, 9 insertions(+)
 create mode 100644 ca-trust/.gitignore
diff --git a/Dockerfile b/Dockerfile
index a3bb3c4fc..264ecf4d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,6 +13,10 @@ RUN set -x && \
 echo -e "deltarpm=0" >> /etc/dnf/dnf.conf && \
 echo -e "install_weak_deps=0" >> /etc/dnf/dnf.conf
 
+# Import extra CA certificates
+COPY ./ca-trust/ /etc/pki/ca-trust/source/anchors/
+RUN update-ca-trust
+
 # Copy extra repo files
 COPY ./repos.d/ /etc/yum.repos.d/
 
diff --git a/README.md b/README.md
index 473585a81..12c7d2606 100644
--- a/README.md
+++ b/README.md
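Review bot: The added `COPY ./ca-trust/ /etc/pki/ca-trust/source/anchors/` followed by `RUN update-ca-trust` in the Dockerfile hunk makes every file placed in `ca-trust/` a system-wide trust anchor, so all TLS clients in the image will accept certificates issued by that private CA, not only DNF when it contacts the extra repositories. Because `ca-trust/.gitignore` ignores everything in the directory, the certificates that end up trusted are not tracked in the repository, so the comment should state the scope, e.g. `# Import extra CA certificates; every file in ./ca-trust/ becomes a trust anchor for all TLS in the image`. If the trust is only needed for the extra repositories, setting `sslcacert=` in the repo files under `repos.d` would keep it limited to DNF. The COPY also places the tracked `.gitignore` itself into the anchors directory; presumably it is skipped as a non-certificate file, but that is worth confirming.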
@@ -36,6 +36,10 @@ default:
 If any additional repositories are needed to be added to the container image, you can place them into the `repos.d` directory (mainly useful for RHEL).
 
+If any additional CA certificates are needed to be trusted in the container
+image, e.g. for the additional repositories, you can place them into the
+`ca-trust` directory.
+
 During the build, any RPMs found in the `rpms` directory are installed in the image. Place your RPMs to be tested in this directory.
 
diff --git a/ca-trust/.gitignore b/ca-trust/.gitignore
new file mode 100644
index 000000000..72e8ffc0d
--- /dev/null
+++ b/ca-trust/.gitignore
@@ -0,0 +1 @@
+*